jeltz/aurore-logs
1
0
Fork 0
Code Issues Pull requests Releases Activity

Correction du cert-builder pour hôte tiers.

Browse source 
On accède à la configuration de `openssl_ca_host` via `hostvars`
et pas directement pour que le rôle fonctionne pour un hôte
différent de `openssl_ca_host`.
This commit is contained in:
jeltz 2020-09-20 14:27:39 +02:00
parent f2ccfbf2ec
commit 31db1c1e29
1 changed files with 25 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
roles/openssl-cert-builder/tasks/main.yml
View file

@ -39,49 +39,61 @@
- name: Download the CSR to local
fetch:
src: "/etc/ssl/csr/{{ certificate.slug }}.csr"
dest: "loot/csr/{{ certificate.slug }}.csr"
dest: "loot/csr/ext/{{ certificate.slug }}.csr"
flat: yes
- name: Create directories for CSRs and certificates
become: true
file:
state: directory
name: "{{ item }}"
owner: root
group: root
mode: u=rwx,g=rx,o=rx
loop:
- /etc/ssl/csr/ext
- /etc/ssl/certs/ext
- name: Upload the CSR to CA server
become: true
copy:
# FIXME: on devrait faire un répertoire "incoming" pour
# pas réecrire la CSR et le certificat de l'AC !
src: "loot/csr/{{ certificate.slug }}.csr"
dest: "/etc/ssl/csr/{{ certificate.slug }}.csr"
src: "loot/csr/ext/{{ certificate.slug }}.csr"
dest: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
owner: root
group: root
mode: u=r,g=r,o=r
delegate_to: "{{ openssl_ca_host }}"
- name: Generate the certificate from CSR
become: yes
openssl_certificate:
ownca_privatekey_path: "/etc/ssl/private/{{ root_ca.slug }}.pem"
ownca_path: "/etc/ssl/certs/{{ root_ca.slug }}.pem"
csr_path: "/etc/ssl/csr/{{ certificate.slug }}.csr"
path: "/etc/ssl/certs/{{ certificate.slug }}.pem"
ownca_privatekey_path: "/etc/ssl/private/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
ownca_path: "/etc/ssl/certs/{{ hostvars[openssl_ca_host].root_ca.slug }}.pem"
csr_path: "/etc/ssl/csr/ext/{{ certificate.slug }}.csr"
path: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
owner: root
group: root
mode: u=r,g=r,o=r
provider: ownca
ownca_not_before: "{{ certificate.not_before }}"
ownca_not_after: "{{ certificate.not_after }}"
ownca_locality_name: "{{ root_ca.locality_name }}"
ownca_country_name: "{{ root_ca.country_name }}"
ownca_organization_name: "{{ root_ca.organization_name }}"
ownca_locality_name: "{{ hostvars[openssl_ca_host].root_ca.locality_name }}"
ownca_country_name: "{{ hostvars[openssl_ca_host].root_ca.country_name }}"
delegate_to: "{{ openssl_ca_host }}"
- name: Retrieve the certificate
fetch:
src: "/etc/ssl/certs/{{ certificate.slug }}.pem"
dest: "loot/certs/{{ certificate.slug }}.pem"
src: "/etc/ssl/certs/ext/{{ certificate.slug }}.pem"
dest: "loot/certs/ext/{{ certificate.slug }}.pem"
flat: yes
delegate_to: "{{ openssl_ca_host }}"
- name: Send the certificate to host
become: yes
copy:
src: "loot/certs/{{ certificate.slug }}.pem"
src: "loot/certs/ext/{{ certificate.slug }}.pem"
dest: "/etc/ssl/certs/{{ certificate.slug }}.pem"
owner: root
group: root